package org.picketlink.identity.federation.core.wstrust.plugins.saml;

import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.Closeable;
import java.io.File;
import java.io.FileReader;
import java.io.FileWriter;
import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.xml.bind.JAXBException;
import javax.xml.namespace.QName;
import org.apache.log4j.Logger;
import org.openxri.xml.Tags;
import org.openxri.xri3.impl.XRI3Constants;
import org.picketlink.identity.federation.core.saml.v2.common.IDGenerator;
import org.picketlink.identity.federation.core.saml.v2.factories.SAMLAssertionFactory;
import org.picketlink.identity.federation.core.saml.v2.util.AssertionUtil;
import org.picketlink.identity.federation.core.saml.v2.util.StatementUtil;
import org.picketlink.identity.federation.core.wstrust.SecurityTokenProvider;
import org.picketlink.identity.federation.core.wstrust.StandardSecurityToken;
import org.picketlink.identity.federation.core.wstrust.WSTrustConstants;
import org.picketlink.identity.federation.core.wstrust.WSTrustException;
import org.picketlink.identity.federation.core.wstrust.WSTrustRequestContext;
import org.picketlink.identity.federation.core.wstrust.WSTrustUtil;
import org.picketlink.identity.federation.core.wstrust.wrappers.Lifetime;
import org.picketlink.identity.federation.saml.v2.assertion.AssertionType;
import org.picketlink.identity.federation.saml.v2.assertion.AudienceRestrictionType;
import org.picketlink.identity.federation.saml.v2.assertion.ConditionsType;
import org.picketlink.identity.federation.saml.v2.assertion.KeyInfoConfirmationDataType;
import org.picketlink.identity.federation.saml.v2.assertion.SubjectType;
import org.picketlink.identity.federation.ws.policy.AppliesTo;
import org.picketlink.identity.federation.ws.trust.StatusType;
import org.picketlink.identity.federation.ws.wss.secext.KeyIdentifierType;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/* loaded from: input_file:WEB-INF/lib/picketlink-fed-core-1.0.2.jar:org/picketlink/identity/federation/core/wstrust/plugins/saml/SAML20TokenProvider.class */
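/**
 * WS-Trust {@link SecurityTokenProvider} that issues, renews, cancels and validates
 * SAML V2.0 assertions.
 *
 * <p>Canceled assertion ids are kept in memory and, when the {@code CanceledIdsFile}
 * property names a file, appended to that file one id per line so they survive a
 * restart. The canceled-id set is a denylist: if it cannot be read back at start-up the
 * provider fails open for the ids that were lost, which is why read/write failures are
 * logged at error level rather than swallowed.
 *
 * <p>Thread-safety: all access to the canceled-id set goes through the synchronized
 * methods {@link #initialize}, {@link #storeCanceledId} and {@code isCanceled}.
 */
public class SAML20TokenProvider implements SecurityTokenProvider {
    private static final Logger logger = Logger.getLogger(SAML20TokenProvider.class);

    /** Provider property naming the file in which canceled assertion ids are persisted. */
    private static final String CANCELED_IDS_FILE = "CanceledIdsFile";

    /** SAML V2.0 assertion namespace, used to recognise assertion elements. */
    private static final String SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    /** Subject confirmation method used when neither OnBehalfOf nor a proof token is present. */
    private static final String BEARER_CONFIRMATION_URI = "urn:oasis:names:tc:SAML:2.0:cm:bearer";

    /** NameQualifier placed on the subject NameID of issued assertions. */
    private static final String SUBJECT_NAME_QUALIFIER = "urn:picketlink:identity-federation";

    /** Subject name used when the request carries no caller principal. */
    private static final String ANONYMOUS_SUBJECT = "ANONYMOUS";

    /** Prefix handed to {@link IDGenerator} for assertion ids. */
    private static final String ASSERTION_ID_PREFIX = "ID_";

    /** Local name of the wsse11 TokenType attribute set on the attached reference. */
    private static final String TOKEN_TYPE_ATTRIBUTE = "TokenType";

    /** Ids of canceled assertions; guarded by {@code this}. */
    private Set<String> cancelledIds = new HashSet<String>();

    /** File the canceled ids are appended to, or {@code null} when persistence is disabled. */
    private File canceledIdsFile;

    /** Properties handed to {@link #initialize}; retained for inspection only. */
    private Map<String, String> properties;

    /**
     * Configures the provider. Reads the {@code CanceledIdsFile} property; when present the
     * named file is created if missing and any ids already in it are loaded.
     *
     * @param map provider properties; {@code null} is treated as no properties.
     */
    @Override
    public synchronized void initialize(Map<String, String> map) {
        this.properties = map;
        this.cancelledIds = new HashSet<String>();
        String path = map == null ? null : map.get(CANCELED_IDS_FILE);
        if (path == null) {
            if (logger.isDebugEnabled()) {
                logger.debug("File to store canceled ids has not been specified: ids will not be persisted!");
            }
            return;
        }
        this.canceledIdsFile = new File(path);
        loadCanceledIds();
    }

    /**
     * Cancels the SAML V2.0 assertion carried in the request's CancelTarget by recording its id.
     *
     * @param context the WS-Trust request context.
     * @throws WSTrustException if the CancelTarget is missing, does not hold a SAML V2.0
     *         assertion, or the assertion has no ID attribute.
     */
    @Override
    public void cancelToken(WSTrustRequestContext context) throws WSTrustException {
        Element target = context.getRequestSecurityToken().getCancelTargetElement();
        if (target == null) {
            throw new WSTrustException("Invalid cancel request: missing required CancelTarget");
        }
        Element assertionElement = firstElementChild(target);
        if (!isAssertion(assertionElement)) {
            throw new WSTrustException("CancelTarget does not contain a SAMLV2.0 assertion");
        }
        // getAttribute returns "" for a missing attribute; an empty id must not reach the denylist.
        String assertionId = assertionElement.getAttribute(Tags.ATTR_ID_CAP);
        if (assertionId == null || assertionId.trim().isEmpty()) {
            throw new WSTrustException("Invalid cancel request: assertion has no ID attribute");
        }
        storeCanceledId(assertionId);
    }

    /**
     * Issues a new SAML V2.0 assertion for the caller (or the OnBehalfOf principal) and stores
     * it, together with an attached KeyIdentifier reference, in the context.
     *
     * <p>The subject confirmation method is sender-vouches when an OnBehalfOf principal is
     * present, holder-of-key when proof-token information is present, and bearer otherwise.
     *
     * @param context the WS-Trust request context.
     * @throws WSTrustException if the request has no Lifetime or the assertion cannot be marshalled.
     */
    @Override
    @SuppressWarnings({"rawtypes", "unchecked"})  // statement list element type was lost in decompilation
    public void issueToken(WSTrustRequestContext context) throws WSTrustException {
        Lifetime lifetime = context.getRequestSecurityToken().getLifetime();
        if (lifetime == null) {
            throw new WSTrustException("Invalid issue request: missing required Lifetime");
        }
        String assertionId = IDGenerator.create(ASSERTION_ID_PREFIX);

        AudienceRestrictionType audienceRestriction = null;
        AppliesTo appliesTo = context.getRequestSecurityToken().getAppliesTo();
        if (appliesTo != null) {
            audienceRestriction = SAMLAssertionFactory.createAudienceRestriction(WSTrustUtil.parseAppliesTo(appliesTo));
        }
        ConditionsType conditions = SAMLAssertionFactory.createConditions(
                lifetime.getCreated(), lifetime.getExpires(), audienceRestriction);

        Principal subjectPrincipal = context.getCallerPrincipal();
        String confirmationMethod;
        KeyInfoConfirmationDataType keyInfoConfirmation = null;
        if (context.getOnBehalfOfPrincipal() != null) {
            subjectPrincipal = context.getOnBehalfOfPrincipal();
            confirmationMethod = SAMLUtil.SAML2_SENDER_VOUCHES_URI;
        } else if (context.getProofTokenInfo() != null) {
            confirmationMethod = SAMLUtil.SAML2_HOLDER_OF_KEY_URI;
            keyInfoConfirmation = SAMLAssertionFactory.createKeyInfoConfirmation(context.getProofTokenInfo());
        } else {
            confirmationMethod = BEARER_CONFIRMATION_URI;
        }
        String subjectName = subjectPrincipal == null ? ANONYMOUS_SUBJECT : subjectPrincipal.getName();
        SubjectType subject = SAMLAssertionFactory.createSubject(
                SAMLAssertionFactory.createNameID(null, SUBJECT_NAME_QUALIFIER, subjectName),
                SAMLAssertionFactory.createSubjectConfirmation(null, confirmationMethod, keyInfoConfirmation));

        // Claimed attributes become a single AttributeStatement; none means no statements at all.
        List statements = null;
        Map<String, Object> claimedAttributes = context.getClaimedAttributes();
        if (claimedAttributes != null) {
            statements = new ArrayList();
            statements.add(StatementUtil.createAttributeStatement(claimedAttributes));
        }

        AssertionType assertion = SAMLAssertionFactory.createAssertion(assertionId,
                SAMLAssertionFactory.createNameID(null, null, context.getTokenIssuer()),
                lifetime.getCreated(), conditions, subject, statements);
        attachToken(context, assertionId, assertion);
    }

    /**
     * Renews the SAML V2.0 assertion carried in the request's RenewTarget: a fresh assertion
     * with a new id and the requested lifetime, but the original issuer, subject and statements,
     * is stored in the context.
     *
     * <p>NOTE(review): only the canceled-id denylist is consulted here; no signature or lifetime
     * check is made on the presented assertion. Presumably the STS validates the RenewTarget
     * before delegating to the provider — confirm against the caller.
     *
     * @param context the WS-Trust request context.
     * @throws WSTrustException if the RenewTarget is missing or not a SAML V2.0 assertion, the
     *         assertion is canceled, the request has no Lifetime, or (un)marshalling fails.
     */
    @Override
    public void renewToken(WSTrustRequestContext context) throws WSTrustException {
        Element target = context.getRequestSecurityToken().getRenewTargetElement();
        if (target == null) {
            throw new WSTrustException("Invalid renew request: missing required RenewTarget");
        }
        Element assertionElement = firstElementChild(target);
        if (!isAssertion(assertionElement)) {
            throw new WSTrustException("RenewTarget does not contain a SAMLV2.0 assertion");
        }
        AssertionType assertion;
        try {
            assertion = SAMLUtil.fromElement(assertionElement);
        } catch (JAXBException e) {
            throw new WSTrustException("Error unmarshalling assertion", e);
        }
        if (isCanceled(assertion.getID())) {
            throw new WSTrustException("Assertion with id " + assertion.getID() + " is canceled and cannot be renewed");
        }
        Lifetime lifetime = context.getRequestSecurityToken().getLifetime();
        if (lifetime == null) {
            throw new WSTrustException("Invalid renew request: missing required Lifetime");
        }
        // An assertion without Conditions gets a fresh Conditions element instead of an NPE.
        ConditionsType conditions = assertion.getConditions();
        if (conditions == null) {
            conditions = SAMLAssertionFactory.createConditions(lifetime.getCreated(), lifetime.getExpires(), null);
        } else {
            conditions.setNotBefore(lifetime.getCreated());
            conditions.setNotOnOrAfter(lifetime.getExpires());
        }
        String renewedId = IDGenerator.create(ASSERTION_ID_PREFIX);
        AssertionType renewed = SAMLAssertionFactory.createAssertion(renewedId, assertion.getIssuer(),
                lifetime.getCreated(), conditions, assertion.getSubject(),
                assertion.getStatementOrAuthnStatementOrAuthzDecisionStatement());
        attachToken(context, renewedId, renewed);
    }

    /**
     * Validates the token carried in the request's ValidateTarget and sets a status on the
     * context. The token is invalid when it is not a SAML V2.0 assertion, when its id has been
     * canceled, or when it is outside its lifetime (or the lifetime cannot be checked); the
     * first failing check determines the reason reported.
     *
     * @param context the WS-Trust request context.
     * @throws WSTrustException if the ValidateTarget is missing or the assertion cannot be unmarshalled.
     */
    @Override
    public void validateToken(WSTrustRequestContext context) throws WSTrustException {
        if (logger.isTraceEnabled()) {
            logger.trace("SAML V2.0 token validation started");
        }
        Element target = context.getRequestSecurityToken().getValidateTargetElement();
        if (target == null) {
            throw new WSTrustException("Bad validate request: missing required ValidateTarget");
        }
        Element assertionElement = firstElementChild(target);
        if (!isAssertion(assertionElement)) {
            // Previously the null assertion was dereferenced below; report INVALID instead.
            setStatus(context, WSTrustConstants.STATUS_CODE_INVALID,
                    "Validation failure: supplied token is not a SAMLV2.0 Assertion");
            return;
        }
        AssertionType assertion;
        try {
            assertion = SAMLUtil.fromElement(assertionElement);
        } catch (JAXBException e) {
            throw new WSTrustException("Unmarshalling error:", e);
        }
        if (isCanceled(assertion.getID())) {
            setStatus(context, WSTrustConstants.STATUS_CODE_INVALID,
                    "Validation failure: assertion with id " + assertion.getID() + " is canceled");
            return;
        }
        try {
            if (AssertionUtil.hasExpired(assertion)) {
                setStatus(context, WSTrustConstants.STATUS_CODE_INVALID,
                        "Validation failure: assertion expired or used before its lifetime period");
                return;
            }
        } catch (Exception e) {
            // An unverifiable lifetime is treated as invalid (fail closed), as before.
            setStatus(context, WSTrustConstants.STATUS_CODE_INVALID,
                    "Validation failure: unable to verify assertion lifetime: " + e.getMessage());
            return;
        }
        setStatus(context, WSTrustConstants.STATUS_CODE_VALID, "SAMLV2.0 Assertion successfully validated");
    }

    /**
     * Records an assertion id as canceled, in memory and (when configured) in the canceled-ids file.
     * The in-memory set is updated first so the cancellation takes effect in this instance even
     * if persistence fails; a persistence failure is logged at error level because other
     * instances, or this one after a restart, will not see the id.
     *
     * @param assertionId the id of the canceled assertion.
     * @throws IllegalArgumentException if {@code assertionId} is {@code null} or blank.
     */
    public synchronized void storeCanceledId(String assertionId) {
        if (assertionId == null || assertionId.trim().isEmpty()) {
            throw new IllegalArgumentException("canceled assertion id must not be blank");
        }
        this.cancelledIds.add(assertionId);
        if (this.canceledIdsFile == null) {
            return;
        }
        BufferedWriter writer = null;
        try {
            writer = new BufferedWriter(new FileWriter(this.canceledIdsFile, true));
            writer.write(assertionId + "\n");
            writer.flush();
        } catch (IOException e) {
            logger.error("Unable to persist canceled id " + assertionId + " to " + this.canceledIdsFile
                    + ": the cancellation will not survive a restart", e);
        } finally {
            closeQuietly(writer);
        }
    }

    /**
     * Marshals {@code assertion} into the context as the security token and sets the attached
     * reference: a wsse KeyIdentifier of the SAML V2.0 value type pointing at {@code assertionId}.
     *
     * @throws WSTrustException wrapping any failure while marshalling or building the reference.
     */
    @SuppressWarnings({"rawtypes", "unchecked"})  // attribute map type parameters were lost in decompilation
    private void attachToken(WSTrustRequestContext context, String assertionId, AssertionType assertion)
            throws WSTrustException {
        try {
            String tokenType = context.getRequestSecurityToken().getTokenType().toString();
            context.setSecurityToken(new StandardSecurityToken(tokenType, SAMLUtil.toElement(assertion), assertionId));
            KeyIdentifierType keyIdentifier = WSTrustUtil.createKeyIdentifier(
                    SAMLUtil.SAML2_VALUE_TYPE, XRI3Constants.FRAGMENT_PREFIX + assertionId);
            Map attributes = new HashMap();
            attributes.put(new QName(WSTrustConstants.WSSE11_NS, TOKEN_TYPE_ATTRIBUTE), SAMLUtil.SAML2_TOKEN_TYPE);
            context.setAttachedReference(WSTrustUtil.createRequestedReference(keyIdentifier, attributes));
        } catch (Exception e) {
            throw new WSTrustException("Failed to marshall SAMLV2 assertion", e);
        }
    }

    /** Sets a status with the given code and reason on the context. */
    private static void setStatus(WSTrustRequestContext context, String code, String reason) {
        StatusType status = new StatusType();
        status.setCode(code);
        status.setReason(reason);
        context.setStatus(status);
    }

    /** Returns whether {@code assertionId} is on the canceled denylist; {@code null} never is. */
    private synchronized boolean isCanceled(String assertionId) {
        return assertionId != null && this.cancelledIds.contains(assertionId);
    }

    /**
     * Returns the first element child of {@code parent}, skipping text/comment nodes (e.g.
     * whitespace between the target wrapper and the assertion), or {@code null} if there is none.
     */
    private static Element firstElementChild(Node parent) {
        for (Node child = parent.getFirstChild(); child != null; child = child.getNextSibling()) {
            if (child.getNodeType() == Node.ELEMENT_NODE) {
                return (Element) child;
            }
        }
        return null;
    }

    /** Returns whether {@code element} is a SAML V2.0 {@code Assertion} element. */
    private static boolean isAssertion(Element element) {
        return element != null
                && Tags.TAG_ASSERTION.equals(element.getLocalName())
                && SAML2_ASSERTION_NS.equals(element.getNamespaceURI());
    }

    /**
     * Loads the canceled ids from {@link #canceledIdsFile}, one per line, creating the file if it
     * does not exist. Blank lines are ignored. Must be called with the monitor held.
     */
    private void loadCanceledIds() {
        BufferedReader reader = null;
        try {
            if (!this.canceledIdsFile.exists()) {
                if (logger.isDebugEnabled()) {
                    logger.debug("File " + this.canceledIdsFile.getCanonicalPath() + " doesn't exist and will be created");
                }
                this.canceledIdsFile.createNewFile();
            }
            reader = new BufferedReader(new FileReader(this.canceledIdsFile));
            for (String line = reader.readLine(); line != null; line = reader.readLine()) {
                if (!line.trim().isEmpty()) {
                    this.cancelledIds.add(line);
                }
            }
        } catch (IOException e) {
            logger.error("Error reading canceled ids file " + this.canceledIdsFile
                    + ": the canceled id list may be incomplete", e);
        } finally {
            closeQuietly(reader);
        }
    }

    /** Closes {@code closeable} if non-null, logging rather than propagating a close failure. */
    private static void closeQuietly(Closeable closeable) {
        if (closeable == null) {
            return;
        }
        try {
            closeable.close();
        } catch (IOException e) {
            logger.warn("Error closing canceled ids file", e);
        }
    }
}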
